moderated Re: Two issues in joining a group #bug


Malcolm Austen
 

On 28/01/2021 22:43:47, Duane <txpigeon@...> wrote:

On Thu, Jan 28, 2021 at 04:03 PM, Malcolm Austen wrote:
user set [NC]
Duane:
Just to make sure you understand, they're only set to NC if they don't already have a groups.io account.
Malcolm Austen: 
Thanks Duane, I was not aware of that (or if I was, I have forgotten!)

That seems to say that if person A is already a member of one group (and therefore has an account) then person B (a baddie) can, by spoofing the sending address, subscribe person A to arbitrary numbers of other groups.

That would be a seriously worrying security flaw.
Duane:
They should also get 2 separate emails, one to confirm their email address if they don't have an account, the other to confirm that they really want to join a group.
Malcolm Austen: 
This was an address never before presented to groups.io - two emails were received but not as you describe. One was the group welcome message (implying the membership process was complete) and the second was a dual function message:

Subject: Confirm your join-ken-eng@... email address

Body (my italics and links stripped):
Hello,

Thank you for your interest in the https://KENT-ENG.groups.io/g/all-Kent group at Groups.io. If you did not request or do not want to join all-Kent@KENT-ENG.groups.io, please ignore this message.

If you only want to send and receive messages from all-Kent@KENT-ENG.groups.io, reply to this email to confirm your email address and activate your membership.

Messages will be sent to you at join-ken-eng@...
Send messages to all-Kent@KENT-ENG.groups.io
If you want to use the resources and read messages on the website, please click on the link below to confirm your email address, set up a password, and choose other subscription settings:

Confirm account


Cheers,
The Groups.io Team
Duane:
I know there's a list showing the complete sequence someplace, both with an account and without, as well as restricted group or not.
Malcolm Austen: 
If it still represents the actuality then it would be interesting to see. My report concerned an unrestricted group BTW.

Malcolm.
